Rootless podman fails to run

I’m attempting to run podman as a normal user, but it fails with the error “mkdir /run/user/$(id -u): permission denied”.

Here is my whole setup; I’m not sure what is missing.

~/.config/containers/storage.conf :

[storage]
driver = "overlay"
runroot = "/run/user/1000/podman"
graphroot = "/home/DEVEL/podman/storage"
[storage.options]
additionalimagestores = [
]
pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""}
[storage.options.overlay]
mount_program = "/usr/bin/fuse-overlayfs"
mountopt = "nodev,metacopy=on"
[storage.options.thinpool]
 autoextend_percent = "20"
 autoextend_threshold = "80"
 basesize = "10G"
 blocksize="64k"
 fs="xfs"
 log_level = "3"
 min_free_space = "10%"
 use_deferred_removal = "True"
 use_deferred_deletion = "True"
 xfs_nospace_max_retries = "0"

/etc/sub[gu]id :

tangent:100000:65536
dockremap:100000000:100000001
tangent:100000:65536
dockremap:100000000:100000001

libcap/getcap :

/usr/bin/newuidmap cap_setuid=eip
/usr/bin/newgidmap cap_setgid=eip

User information :

# id tangent
uid=1000(tangent) gid=100(users) groups=108(libvirt),36(kvm),484(disk),107(qemu),476(systemd-journal),1000(docker),100(users)

runroot ownership :

# ls -l /run/user/
total 0
drwx------ 14 tangent users 460 Feb 12 17:59 1000

podman error :

# podman info
Error: mkdir /run/user/$(id -u): permission denied

strace :

# strace -f -e trace=unshare,setns,clone /usr/bin/podman system service
setns(5, 0)                             = 0
setns(6, 0)                             = 0
strace: Process 10550 attached
strace: Process 10551 attached
strace: Process 10552 attached
strace: Process 10553 attached
strace: Process 10554 attached
strace: Process 10555 attached
strace: Process 10556 attached
[pid 10556] --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=10549, si_uid=0} ---
strace: Process 10557 attached
[pid 10549] --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=10549, si_uid=0} ---
strace: Process 10558 attached
[pid 10553] --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=10549, si_uid=0} ---
[pid 10557] --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=10549, si_uid=0} ---
[pid 10549] --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=10549, si_uid=0} ---
[pid 10549] --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=10549, si_uid=0} ---
[pid 10549] --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=10549, si_uid=0} ---
[pid 10549] --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=10549, si_uid=0} ---
[pid 10549] --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=10549, si_uid=0} ---
strace: Process 10559 attached
[pid 10549] --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=10549, si_uid=0} ---
[pid 10557] --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=10549, si_uid=0} ---
[pid 10556] --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=10549, si_uid=0} ---
[pid 10552] --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=10549, si_uid=0} ---
[pid 10549] --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=10549, si_uid=0} ---
[pid 10559] --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=10549, si_uid=0} ---
[pid 10549] --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=10549, si_uid=0} ---
[pid 10549] --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=10549, si_uid=0} ---
[pid 10549] --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=10549, si_uid=0} ---
Error: mkdir /run/user/$(id -u): permission denied
[pid 10559] +++ exited with 125 +++
[pid 10558] +++ exited with 125 +++
[pid 10557] +++ exited with 125 +++
[pid 10556] +++ exited with 125 +++
[pid 10555] +++ exited with 125 +++
[pid 10554] +++ exited with 125 +++
[pid 10553] +++ exited with 125 +++
[pid 10552] +++ exited with 125 +++
[pid 10551] +++ exited with 125 +++
[pid 10550] +++ exited with 125 +++
+++ exited with 125 +++

My systemd service and socket files :

# cat ~/.config/systemd/user/podman.service 
[Unit]
Description=Podman Container Manager
After=network.target

[Service]
Restart=on-failure
ExecStart=/usr/bin/podman start --auto-update
ExecStop=/usr/bin/podman stop --all
Type=simple
User=1000 

[Install]
WantedBy=default.target

[Unit]
Description=Podman API Socket
Requires=podman.service
After=podman.service

[Service]
Type=simple
ListenStream=%t/podman/podman.sock
ExecStart=/usr/bin/podman system service -t 0 
Restart=on-failure
User=1000 

[Install]
WantedBy=sockets.target

Existing ACL :

# getfacl /run/user/$(id -u)
getfacl: Removing leading '/' from absolute path names
# file: run/user/1000
# owner: tangent
# group: users
user::rwx
user:tangent:rwx
group::---
mask::rwx
other::---

Is there a bug, or did I mess up somewhere?

I reinstalled podman, set up a new storage directory, and it worked.
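
A preflight for the prerequisites listed in the post (runtime directory, subordinate ID ranges, runroot), as an added example that is not part of the original post or of podman. The function names are made up for this example, and the literal-text check assumes the `$(id -u)` in the error message is what podman actually received rather than the poster's shorthand.

```shell
#!/bin/sh
# Added example (function names made up here): preflight for the rootless
# prerequisites listed in the post. File paths are arguments, for use on copies.

# Print how many subordinate IDs FILE (name:start:count lines) gives USER.
subid_count() {
    awk -F: -v u="$1" '$1 == u && $3 ~ /^[0-9]+$/ { n += $3 } END { print n + 0 }' "$2"
}

# Succeed if the value still contains unexpanded shell syntax like $(id -u),
# i.e. it was set somewhere that no shell evaluated it.
has_unexpanded() {
    case "$1" in
        *'$('*|*'${'*|*'`'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if DIR exists, is owned by numeric uid OWNER and has mode 700.
runtime_dir_ok() {
    [ -d "$1" ] || return 1
    [ "$(stat -c %u "$1")" = "$2" ] && [ "$(stat -c %a "$1")" = "700" ]
}

# Print the runroot value from a storage.conf.
conf_runroot() {
    sed -n 's/^[[:space:]]*runroot[[:space:]]*=[[:space:]]*"\([^"]*\)".*$/\1/p' "$1" | head -n 1
}

# Run every check for the invoking user; print findings, return 1 on any.
preflight() {
    user=$(id -un); uid=$(id -u); rc=0
    rt=${XDG_RUNTIME_DIR:-/run/user/$uid}
    conf=${1:-$HOME/.config/containers/storage.conf}
    if has_unexpanded "$rt"; then
        echo "FAIL: runtime dir is literal text: $rt"; rc=1
    elif ! runtime_dir_ok "$rt" "$uid"; then
        echo "FAIL: $rt missing, not owned by uid $uid, or not mode 700"; rc=1
    fi
    for f in /etc/subuid /etc/subgid; do
        [ "$(subid_count "$user" "$f" 2>/dev/null)" -gt 0 ] 2>/dev/null ||
            { echo "FAIL: no subordinate ID range for $user in $f"; rc=1; }
    done
    rr=$(conf_runroot "$conf" 2>/dev/null)
    case "$rr" in
        ""|"$rt"/*) ;;
        *) echo "FAIL: runroot $rr is outside $rt"; rc=1 ;;
    esac
    return $rc
}
```

Source the file and call `preflight` from a login session of the account that will run podman, so that `id -u` and `XDG_RUNTIME_DIR` reflect that account.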
